zefie/minisrv
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix issue where users could bypass username sanity checks with direct urls

Browse Source
This commit is contained in:
zefie
2022-10-22 18:15:15 -04:00
parent 5055f862b0
commit 745de7de1f
3 changed files with 45 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js
View File

@@ -1,5 +1,6 @@
var minisrv_service_file = true; var minisrv_service_file = true;
if (!request_headers.query.registering || if (!request_headers.query.registering ||
!request_headers.query.subscriber_name || !request_headers.query.subscriber_name ||
!request_headers.query.subscriber_username || !request_headers.query.subscriber_username ||
@@ -8,11 +9,23 @@ if (!request_headers.query.registering ||
!session_data.session_store || !session_data.session_store ||
!session_data || !session_data ||
!socket.ssid !socket.ssid
) { ) {
var errpage = wtvshared.doErrorPage(400); var errpage = wtvshared.doErrorPage(400);
headers = errpage[0]; headers = errpage[0];
data = errpage[1]; data = errpage[1];
} else { } else {
var errpage = null;
const WTVRegister = require(classPath + "/WTVRegister.js")
var wtvr = new WTVRegister(minisrv_config, SessionStore);
if (!request_headers.query.subscriber_username) errpage = wtvshared.doErrorPage(400, "Please enter a username.");
else if (request_headers.query.subscriber_username.length < minisrv_config.config.user_accounts.min_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.min_username_length + "</b> or more characters.");
else if (request_headers.query.subscriber_username.length > minisrv_config.config.user_accounts.max_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.max_username_length + "</b> or less characters.");
else if (!wtvr.checkUsernameSanity(request_headers.query.subscriber_username)) errpage = wtvshared.doErrorPage(400, "The username you have chosen contains invalid characters. Please choose a username with only <b>letters</b>, <b>numbers</b>, <b>_</b> or <b>-</b>. Also, please be sure your username begins with a letter.");
else if (!wtvr.checkUsernameAvailable(request_headers.query.subscriber_username)) errpage = wtvshared.doErrorPage(400, "The username you have selected is already in use. Please select another username.");
if (errpage) {
headers = errpage[0];
data = errpage[1];
} else {
session_data.setSessionData("subscriber_name", request_headers.query.subscriber_name); session_data.setSessionData("subscriber_name", request_headers.query.subscriber_name);
session_data.setSessionData("subscriber_username", request_headers.query.subscriber_username); session_data.setSessionData("subscriber_username", request_headers.query.subscriber_username);
session_data.setSessionData("subscriber_contact", request_headers.query.subscriber_contact); session_data.setSessionData("subscriber_contact", request_headers.query.subscriber_contact);
@@ -111,4 +124,5 @@ connect to the Internet by choosing
</html> </html>
`; `;
} }
}
} }

7
zefie_wtvp_minisrv/ServiceVault/wtv-setup/validate-add-user-done.js
View File

@@ -17,8 +17,15 @@ if (!errpage) {
if (!errpage) { if (!errpage) {
if (session_data.getNumberOfUserAccounts() > minisrv_config.config.user_accounts.max_users_per_account) errpage = wtvshared.doErrorPage(400, "You are not authorized to add more than " + minisrv_config.config.user_accounts.max_users_per_account + ` account${minisrv_config.config.user_accounts.max_users_per_account > 1 ? 's' : ''}.`); if (session_data.getNumberOfUserAccounts() > minisrv_config.config.user_accounts.max_users_per_account) errpage = wtvshared.doErrorPage(400, "You are not authorized to add more than " + minisrv_config.config.user_accounts.max_users_per_account + ` account${minisrv_config.config.user_accounts.max_users_per_account > 1 ? 's' : ''}.`);
if (!request_headers.query.user_name) errpage = wtvshared.doErrorPage(400, "Please enter a username.");
else if (request_headers.query.user_name.length < minisrv_config.config.user_accounts.min_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.min_username_length + "</b> or more characters.");
else if (request_headers.query.user_name.length > minisrv_config.config.user_accounts.max_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.max_username_length + "</b> or less characters.");
else if (!wtvr.checkUsernameSanity(request_headers.query.user_name)) errpage = wtvshared.doErrorPage(400, "The username you have chosen contains invalid characters. Please choose a username with only <b>letters</b>, <b>numbers</b>, <b>_</b> or <b>-</b>. Also, please be sure your username begins with a letter.");
else if (!wtvr.checkUsernameAvailable(request_headers.query.user_name)) errpage = wtvshared.doErrorPage(400, "The username you have selected is already in use. Please select another username.");
} }
if (errpage) { if (errpage) {
headers = errpage[0]; headers = errpage[0];
data = errpage[1]; data = errpage[1];

1
zefie_wtvp_minisrv/includes/WTVRegister.js
View File

@@ -37,7 +37,6 @@ class WTVRegister {
if (this.minisrv_config.config.user_accounts.reserved_names) { if (this.minisrv_config.config.user_accounts.reserved_names) {
Object.keys(this.minisrv_config.config.user_accounts.reserved_names).forEach((k) => { Object.keys(this.minisrv_config.config.user_accounts.reserved_names).forEach((k) => {
if (self.minisrv_config.config.user_accounts.reserved_names[k].toLowerCase() == username.toLowerCase()) return_val = true; if (self.minisrv_config.config.user_accounts.reserved_names[k].toLowerCase() == username.toLowerCase()) return_val = true;
console.log(self.minisrv_config.config.user_accounts.reserved_names[k].toLowerCase(), username.toLowerCase(), return_val)
}) })
} }